The following is an example of debugging /system/bin/ping with GDB under adb shell. The binary is position-independent, so the point of the session is to find where the kernel actually mapped it, then walk from the entry point to main:
# /data/local/tmp/gdb --args /system/bin/ping
GNU gdb (GDB) 7.3.1-gg2
...
(gdb) info target
Symbols from "/system/bin/ping".
Local exec file:
    `/system/bin/ping', file type elf32-littlearm.
    Entry point: 0x1078
    0x00000134 - 0x00000147 is .interp
    0x00000148 - 0x00000598 is .dynsym
    0x00000598 - 0x0000081e is .dynstr
    0x00000820 - 0x00000a48 is .hash
    0x00000a48 - 0x00000bf0 is .rel.dyn
    0x00000bf0 - 0x00000db8 is .rel.plt
    0x00000db8 - 0x00001078 is .plt
    0x00001078 - 0x0000436c is .text
    0x0000436c - 0x00004384 is .note.android.ident
    0x00004384 - 0x00004454 is .ARM.exidx
    0x00004454 - 0x0000446c is .ARM.extab
    0x0000446c - 0x00005466 is .rodata
    0x00006d40 - 0x00006d48 is .preinit_array
    0x00006d48 - 0x00006d50 is .init_array
    0x00006d50 - 0x00006d58 is .fini_array
    0x00006d58 - 0x00006e50 is .dynamic
    0x00006e50 - 0x00007000 is .got
    0x00007000 - 0x000070c0 is .data
    0x000070c0 - 0x0001a1ee is .bss
(gdb) b *0x1078    // breakpoint on the first address of .text, which is also the ELF entry point (_start)
Breakpoint 1 at 0x1078
(gdb) r
Starting program: /system/bin/ping
warning: Breakpoint address adjusted from 0x40003ca5 to 0x40003ca4.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x1078: Input/output error.

(gdb) d 1    // Expected on a kernel with address-space randomization enabled: ping is a position-independent executable (its link-time addresses start at 0) and the load base is only chosen at exec time, so nothing is mapped at the file address 0x1078. Ignore the error, delete breakpoint 1, and read the real addresses from "info target" now that the process exists.
(gdb) info target
Symbols from "/system/bin/ping".
Unix child process:
    Using the running image of child process 9782.
    While running this, GDB does not access memory from...
Local exec file:
    `/system/bin/ping', file type elf32-littlearm.
    Entry point: 0x2a001078
    0x2a000134 - 0x2a000147 is .interp
    0x2a000148 - 0x2a000598 is .dynsym
    0x2a000598 - 0x2a00081e is .dynstr
    0x2a000820 - 0x2a000a48 is .hash
    0x2a000a48 - 0x2a000bf0 is .rel.dyn
    0x2a000bf0 - 0x2a000db8 is .rel.plt
    0x2a000db8 - 0x2a001078 is .plt
    0x2a001078 - 0x2a00436c is .text
    0x2a00436c - 0x2a004384 is .note.android.ident
    0x2a004384 - 0x2a004454 is .ARM.exidx
    0x2a004454 - 0x2a00446c is .ARM.extab
    0x2a00446c - 0x2a005466 is .rodata
    0x2a006d40 - 0x2a006d48 is .preinit_array
    0x2a006d48 - 0x2a006d50 is .init_array
    0x2a006d50 - 0x2a006d58 is .fini_array
    0x2a006d58 - 0x2a006e50 is .dynamic
    0x2a006e50 - 0x2a007000 is .got
    0x2a007000 - 0x2a0070c0 is .data
    0x2a0070c0 - 0x2a01a1ee is .bss
    ........
(gdb) x/32i 0x2a001078    // disassemble the relocated .text (entry point _start) and look for the call to __libc_init
   0x2a001078:  push   {r11, lr}
   0x2a00107c:  add    r11, sp, #4
   0x2a001080:  sub    sp, sp, #16
   0x2a001084:  ldr    r3, [pc, #80]    ; 0x2a0010dc
   0x2a001088:  add    r3, pc, r3       // r3 = GOT base
   0x2a00108c:  ldr    r2, [pc, #76]    ; 0x2a0010e0
   0x2a001090:  ldr    r2, [r3, r2]
   0x2a001094:  str    r2, [r11, #-20]  // array.preinit_array
   0x2a001098:  ldr    r2, [pc, #68]    ; 0x2a0010e4
   0x2a00109c:  ldr    r2, [r3, r2]
   0x2a0010a0:  str    r2, [r11, #-16]  // array.init_array
   0x2a0010a4:  ldr    r2, [pc, #60]    ; 0x2a0010e8
   0x2a0010a8:  ldr    r2, [r3, r2]
   0x2a0010ac:  str    r2, [r11, #-12]  // array.fini_array
   0x2a0010b0:  mov    r2, r11
   0x2a0010b4:  add    r2, r2, #4
   0x2a0010b8:  str    r2, [r11, #-8]   // raw_args = frame address + 4
   0x2a0010bc:  sub    r12, r11, #20    // r12 = &array
   0x2a0010c0:  ldr    r0, [r11, #-8]   // r0 = raw_args
   0x2a0010c4:  mov    r1, #0           // r1 = NULL (onexit)
   0x2a0010c8:  ldr    r2, [pc, #28]    ; 0x2a0010ec
   0x2a0010cc:  ldr    r3, [r3, r2]     // address of main, loaded through the GOT
   0x2a0010d0:  mov    r2, r3           // r2 = &main
   0x2a0010d4:  mov    r3, r12          // r3 = &array
   0x2a0010d8:  bl     0x2a000dcc       // __libc_init via its PLT stub (see note below; r2 is the main function)
   0x2a0010dc:  andeq  r5, r0, r0, lsl #29           // literal pool, not code
   0x2a0010e0:         ; <UNDEFINED> instruction: 0xffffff40
   0x2a0010e4:         ; <UNDEFINED> instruction: 0xffffff44
   0x2a0010e8:         ; <UNDEFINED> instruction: 0xffffff48
   0x2a0010ec:         ; <UNDEFINED> instruction: 0xffffff4c
   0x2a0010f0:  push   {r11, lr}
   0x2a0010f4:  add    r11, sp, #4
(gdb) b *0x2a0010d8    // stop on the call to __libc_init
Breakpoint 2 at 0x2a0010d8
(gdb) c
Continuing.

Breakpoint 2, 0x2a0010d8 in ?? ()
(gdb) p/x $r2    // the address of main
$1 = 0x2a0017c9
(gdb) b *0x2a0017c9    // breakpoint on main. Bit 0 of the pointer is set, which marks main as Thumb code, so GDB moves the breakpoint to the even address. libc.so is loaded by now, so you can also break on its symbols: b open, b fputs, b exit, ...
warning: Breakpoint address adjusted from 0x2a0017c9 to 0x2a0017c8.
Breakpoint 3 at 0x2a0017c8
(gdb) c
Continuing.
warning: Breakpoint 3 address previously adjusted from 0x2a0017c9 to 0x2a0017c8.

Breakpoint 3, 0x2a0017c8 in ?? ()
(gdb) display/4i $pc    // show the next four instructions after every step; the 2-byte and .w encodings confirm main is Thumb-2 code
1: x/4i $pc
=> 0x2a0017c8:  stmdb  sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
   0x2a0017cc:  ldr.w  r4, [pc, #2600]  ; 0x2a0021f8
   0x2a0017d0:  ldr.w  r3, [pc, #2600]  ; 0x2a0021fc
   0x2a0017d4:  add    r4, pc
(gdb) ni
0x2a0017cc in ?? ()
1: x/4i $pc
=> 0x2a0017cc:  ldr.w  r4, [pc, #2600]  ; 0x2a0021f8
   0x2a0017d0:  ldr.w  r3, [pc, #2600]  ; 0x2a0021fc
   0x2a0017d4:  add    r4, pc
   0x2a0017d6:  mov    r6, r0
(gdb)    // an empty line repeats the previous command (ni)
0x2a0017d0 in ?? ()
1: x/4i $pc
=> 0x2a0017d0:  ldr.w  r3, [pc, #2600]  ; 0x2a0021fc
   0x2a0017d4:  add    r4, pc
   0x2a0017d6:  mov    r6, r0
   0x2a0017d8:  ldr    r0, [r4, r3]
(gdb)
....
Note:
At the ELF entry point (_start) of an Android executable, the third argument to __libc_init is main
(bionic/libc/arch-arm/bionic/crtbegin.c):

    __LIBC_HIDDEN__ void _start() {
        ......
        void* raw_args = (void*) ((uintptr_t) __builtin_frame_address(0) + sizeof(void*));
        __libc_init(raw_args, NULL, &main, &array);
    }

This is why r2 holds the address of main at the "bl __libc_init" above: on ARM the first four arguments are passed in r0-r3, so r0 = raw_args, r1 = NULL, r2 = &main and r3 = &array.
The gdb binary used here was built from the gdb 7.3.1-gg2 source shipped in the Android toolchain, cross-compiled with CodeSourcery's arm-none-linux-gnueabi toolchain.
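To make the address arithmetic of the session above reusable, here is an added Python example written for this page (it is not code from the original post, from bionic or from GDB): it parses an ELF32 header, decides whether the binary is a PIE, computes the load bias from a /proc/<pid>/maps line, translates the file-relative entry point to its runtime address, and mirrors GDB's Thumb-bit adjustment of a breakpoint on main. The ELF bytes and the maps lines are constructed to match the layout shown above and are not the real /system/bin/ping; all function names are my own.

```python
import struct

# ELF constants used below
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 40
PT_LOAD = 1
PAGE_MASK = ~0xfff


def parse_elf32(data):
    """Parse the ELF32 little-endian header and program headers of an image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian images are handled here")
    (e_type, e_machine, _e_version, e_entry, e_phoff, _e_shoff, _e_flags,
     _e_ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIIIIIII", data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz, p_flags, p_align = fields
        phdrs.append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags, "align": p_align})
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "phdrs": phdrs}


def is_pie(elf):
    """An executable of type ET_DYN is position independent: its file addresses are only
    offsets from a load base the kernel picks at exec time."""
    return elf["type"] == ET_DYN


def load_bias(elf, runtime_base):
    """Difference between the addresses GDB shows before 'run' and those in the live process.
    ET_EXEC is mapped at its link address (bias 0); for a PIE the bias is the runtime base
    minus the page-aligned vaddr of the lowest PT_LOAD segment."""
    if elf["type"] == ET_EXEC:
        return 0
    loads = [p for p in elf["phdrs"] if p["type"] == PT_LOAD]
    if not loads:
        raise ValueError("no PT_LOAD segment")
    lowest = min(p["vaddr"] for p in loads)
    return runtime_base - (lowest & PAGE_MASK)


def runtime_address(file_addr, bias):
    return file_addr + bias


def breakpoint_address(addr):
    """Mirror GDB's adjustment on ARM: a function pointer with bit 0 set refers to Thumb code
    and the breakpoint must go on the even address. Returns (address, is_thumb)."""
    return addr & ~1, bool(addr & 1)


def base_from_maps(maps_text, path):
    """Load base of `path` from /proc/<pid>/maps text: the lowest mapping of that file whose
    file offset is 0 (the first PT_LOAD)."""
    bases = []
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != path:
            continue
        start = int(parts[0].split("-")[0], 16)
        if int(parts[2], 16) == 0:
            bases.append(start)
    if not bases:
        raise LookupError(f"{path} not mapped")
    return min(bases)


def build_sample_elf():
    """Constructed ELF32 ARM PIE image (header and two program headers only, no code). It copies
    the layout on this page (ET_DYN, entry 0x1078, text from vaddr 0, data/bss from 0x6d40)
    but is not the real /system/bin/ping."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               ET_DYN, EM_ARM, 1, 0x1078, 52, 0, 0x05000000,
                               52, 32, 2, 40, 0, 0)
    text = struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, 0x5466, 0x5466, 5, 0x1000)              # r-x
    data = struct.pack("<IIIIIIII", PT_LOAD, 0x5d40, 0x6d40, 0x6d40, 0x380, 0x134ae, 6, 0x1000)  # rw-
    return ehdr + text + data


# Constructed /proc/<pid>/maps excerpt matching the page's 0x2a000000 base (not captured from a device).
SAMPLE_MAPS = """\
2a000000-2a006000 r-xp 00000000 b3:07 1234   /system/bin/ping
2a006000-2a007000 rw-p 00005000 b3:07 1234   /system/bin/ping
2a007000-2a01b000 rw-p 00000000 00:00 0
"""


def locate_entry_and_main(elf_data, maps_text, path, main_ptr):
    """Carry the page's procedure through: find the load base, translate the entry point to its
    runtime address, and derive the breakpoint address for a main pointer read from r2."""
    elf = parse_elf32(elf_data)
    bias = load_bias(elf, base_from_maps(maps_text, path))
    bp_main, thumb = breakpoint_address(main_ptr)
    return {"pie": is_pie(elf), "bias": bias,
            "entry": runtime_address(elf["entry"], bias),
            "main_breakpoint": bp_main, "main_is_thumb": thumb}


if __name__ == "__main__":
    r = locate_entry_and_main(build_sample_elf(), SAMPLE_MAPS, "/system/bin/ping", 0x2a0017c9)
    print(f"PIE={r['pie']} bias=0x{r['bias']:x} entry=0x{r['entry']:x} "
          f"main breakpoint=0x{r['main_breakpoint']:x} thumb={r['main_is_thumb']}")
```

On a device you would feed `base_from_maps` the output of `cat /proc/<pid>/maps` for the target process and `parse_elf32` the bytes of the binary pulled with `adb pull`; the resulting entry address is what goes into `b *<addr>` once the process is running, and the Thumb bit tells you in advance why GDB will report the "address adjusted" warning.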